Internal Audit in the States and Local Government of Malaysia

8/11/2019 Internal Audit in the States and Local Government of Malaysia

1/33

Internal audit in the state and localgovernments of Malaysia

A Md Ali Universiti Utara, Malaysia

JD Gloeck Department of Auditing, University of PretoriaSouth Africa

A Ali Universiti Utara, Malaysia

A Ahmi Universiti Utara, Malaysia

MH Sahdan Universiti Utara, Malaysia

ABInternal audit is supposed to help members of organizations to improve their entitys effectiveness andefficiencGovfunhadThe nce, and a Malaysian social context that is replete with casesthat display a lack of transparency and public accountability from its major actors, help to explain these factsand pr leak future for internal audit.

Hoare vernment in particular should play so that the auditfunction may fulfill its potential as a tool that improves Malaysias economic standing at this time whenglobal tion, accountability and transparency are considered essential issues in just about any worthwhileecono

STRACT

y. But the findings from in-depth interviews conducted with internal auditors from 35 State and Localernmental Bodies (SLoGBs) located in Peninsular Malaysia in the third quarter of 2003 show that the audit

ction faces numerous challenges. This is in addition to the fact that a mere 35 out of the then 202 SLoGBsan internal audit capacity.

politics of accountability theory, power dista

edict a b

wever, a rosy future may yet be achieved through the involvement of key parties and if specific measuresput in place. This is the crucial role that the federal go

izamic, social or political activity.

Key words

Internal audit, state governments, local governments, federal government, Malaysia,National Audit Department, qualitative methods, in-depth interviews, Institute of Internal Auditor,

social context, accountability

1 INTRODUIn recent years, entities in both the publicectors have experienced many new challenges andemands resulting from the combination of a harsh

rapid developments initions and globalization. To

ols to exist aunit is

ose activities are strongly supported byboth management and other personnel within theorganization.

CTION

and private

For an effective system of internal contrwell-managed internal audit department orrequired, wh

sdeconomic climate and

chnology, market condteensure the survival of these organizations, internalauditing has increasingly been viewed by regulators,directors of listed companies and governing membersof many public sector entities world-wide as one ofthe solutions. Specifically, the need for strongcorporate governance in the management ofcorporations and public sector enterprises has

focussed attention on the internal audit function.Good corporate governance demands sound financialand operational control over the activities of an entity.

The development of modern internal auditing beginswith the formation of the Institute of Internal Auditors(IIA) in the USA in 1941. Shortly thereafter IIAchapters were established across the USA andworldwide. Internal audit is now widely seen as ahighly professional and skilled task. The originaldefinition of internal auditing provided by the IIA in itsStandards for the Professional Practice of Internal

Auditing (SPPIA) in 1978 states (IIA, 1979):

Southern African Journal of Accountability and Auditing Research Vol 7: 2007 (25-57) 25


2/33

Md Ali et al

Internal auditing is an independent appraisalfunction established within an organization toexamine and evaluate its activities as a service tothe organization. The objective of internal auditingis to assist members of the organization in theeffective discharge of their responsibilities. To thisend, internal auditing furnishes them with

analyses, appraisals, recommendations, counseland information concerning the activities

viewed.

Inwprdethprhe20de (IIA, 2003):

the IIA has also publishedtandards and a code of ethics for the practice of

inar10puxxstou e

ntroduction to the SPPIA (IIA, 2003a):

Indeed, all who practise internal auditing are expected

totoenbeinprUp. organizations have failed to bring

gnificant change to their internal auditing practices.

rganizations should maintain an effectiveystem of internal control, including the establishment

d been collected, and whileis report was being finalized - the Federal

of internal audit. However, the reality of theirplementation may be something different.

re

a more recent definition, included in the SPPIAhich came into effect on 1 January 2002, the bodyovides a broader goal for internal auditing. This newfinition shifts the focus from one of assurance toat of value added, and attempts to move theofession toward a standards-driven approach with aightened profile (Nagy & Cenker, 2002; Bou-Raad,00; and Krogstad et al., 1999). The subsequentfinition says

Internal auditing is an independent, objective,assurance and consulting activity designed to addvalue and improve an organizations operations. Ithelps an organization accomplish its objectivesby bringing a systematic, disciplined approach toevaluate and improve effectiveness of riskmanagement, control and governance process.

For over half a century nows

ternal auditing. Today, these standards and codee in use in thousands of organizations in more than0 countries, and across all business types andblic sectors (Ridley & Chambers, 1998, pp. xxix-x). This is not surprising, since the internal auditandards in particular, also include inputs fromtside the United States. As mentioned in th

IThe Internal Auditing Standards Board iscommitted to extensive consultation in thepreparation of the Standards. Prior to issuing anydocument, the Standards Board issues exposuredrafts internationally for public comment. TheStandards Board also seeks those with specialexpertise or interests for consultation wherenecessary.

understand the standards and code of ethics, andadopt or modify them to suit their own

vironments. Over the years, these documents haveen enriched by research and successive

terpretive guidelines and statements, detailing howofessional internal auditing should be practised.nfortunately, as noted by Ridley & Chambers (1998,

3), manysiThey state (p. 3): True, there are now more internalaudit units; yet most of their practices are still basedon fundamental auditing principles, as developed inthe early years of the twentieth century. They alsospecifically note that (p. 3): Despite a 1990s focus on

rapid change within many organizations, in someinternal audit units technology has still not penetrateddeeply into auditing practices, while in others internal

auditors are still not seen as part of the managementteam.

In Malaysia, a growing catalogue of organizationalfailures and mismanagement highlights the need foreffective internal audit in both the public and privatesectors. While to date there have been several

research reports on the status of internal audit ingeneral (see below), none have specifically probedthe nations public sector. This is despite the welldocumented requirement that management of publicsector osof an internal audit function (Dowsett & Morris, 1981;Buttery, 1985; Coombs & Jenkins, 1994; Jones &Pendlebury, 2000). And this lack of progress inestablishing an internal audit function is in spite of therequirement having been published nearly a quarterof a century ago in Treasury Circular No. 2 (1979)entitled Implementation of Internal Auditing in FederalGovernment Agencies.

Apparently this Circular was supposed to have beenreplaced in April 2001 by one that covered not just thefederal government but also the state and localgovernments, and which was to have providedgreater detail of the required functions of the internalaudit units so formed. It is not known why thisdocument was not implemented by the authorities atthat time. Eventually, in October 2004 one yearafter this studys data hathGovernment, through its Director General of theTreasury, issued circular No. 9 (2004) to replace the1979 circular. (New Straits Times: 18 December2004).

This new circular not only applies to federalgovernments departments, but also to the stategovernments. It is noticeable that the new circular(which may be found in the Treasury website http://www.treasury.gov.com) has nearly twice as manyparagraphs as the 1979 one. There are also someparagraphs (discussed below) which suggest that theauthorities are pushing to improve the public sectorpracticeim(Malaysian life abounds with cases of the triumph ofhope over experience.) See for example Azham(1999) on the external audit perspective on the 1985-

86 economic recession and its aftermath.

Regardless of the release of the 2004 Circular, itshould have been obvious that the state of internalaudit operations in the public sector was long overduefor review. This review should have led to theidentification of problems and obstacles confrontinginternal audit, and recommended real reforms,reforms far more rigorous than the mere issuance of adocument such as that required by the new internalaudit circular.

Furthermore, such a study is needed to assist thenation to find ways to be more competitive in all

sectors of the economy, made more urgent by theimplementation of Asean Free Trade Area (AFTA) inearly 2003. Internal audit that achieves its potential

Southern African Journal of Accountability and Auditing Research Vol 7: 2007 (25-57)26


3/33

Internal audit in the state and local governments of Malaysia

may actually be the right instrument for all sectors toachieve such competitiveness. Finally, the East Asianfinancial crisis in 1997/1998 proved that all strata ofsociety have to be more serious about implementingood governance. Mere lip service or rhetoric is worth

the internal auditors. Arther objective of the study is to try to provide anpl te of affairs. Finally, the

tudy attempts to predict the future of internal audit in

the internal audit function in

e Malaysian public sector. In regard to the state and

uldreatly assist policy makers and other parties to

vethe udit function. This is in line with the

rime Ministers goal of reforming Malaysia.

withinovernment departments should help the authorities

addition, this study is particularly significant since

thNre tsthaofN re in a

alacca state government agency is a case in point

erns thecreasing internationalization of internal auditing that

beCthF runprpr the IIA Global Steering

ommittee (IIA, 1999). This study may thus also be

rove the internal auditfunction throughout the government sector.

ions will be testedand extended by other academics, focusing on

in the

glittle in todays socio-economic environment. Todayschallenge is not just for companies, but also for public

sector entities to acknowledge the need for, and toimplement good governance.

2 PURPOSES OF STUDY

The primary objective of this study is to compile adata base of the forms and extent of internal auditbeing practiced in government entities operatingthroughout Peninsular Malaysia. These entitiesinclude state and local government departments andtheir various statutory bodies. The focus is on theday-to-day problems faced byfuex anation for the present sta

sgovernment enterprises and departments. All in all,the study has three basic aims related to answeringthe following questions:

What kind of internal auditing is being practiced?

Why is there this type of internal auditing?

What is the likely future of internal audit?

3 MOTIVATION AND SIGNIFICANCE OF THESTUDY

There does not yet appear to have been any attemptto provide an overview of

thlocal governments and related bodies in PeninsularMalaysia this study is probably the first to have beenconducted. The availability of such information shogdetermine what exactly needs to be done to impro

internal aPThe Prime Minister mentioned in a speech in early2004 that his agenda for the country included thecreation of a more efficient public administration, theeradication of corruption and the cutting of red tape(NST, 12 February 2004). It should be obvious thatthe achievement of such an agenda needs up-to-date

information on all aspects of the economy. Theconcerns of the internal auditors appear to be ofparticular importance since their positiongunderstand the day-to-day processes. But they havenever enjoyed public recognition, in contrast toexternal auditors working for the National AuditDepartment. Actually the Prime Minister himself seesthe need for auditors (presumably also includingthose outside the National Audit Department) to beeffective in their work. In his maiden official speech inParliament, the Prime Minister said (NST,4 November 2003):

Corruption is an odious crime. We must exploremore effective methods to deal with it and in thisregard, prevention is as important as punishment.

Streamlining work processes, reduction of redtape, improvements in the delivery system, aconscious effort to raise the quality of work andmore frequent and effective auditswould reducethe opportunity for bribery. (Emphasis added.)

In

e nations Auditor-General, who is the head of theational Audit Department, has stated in various auditports that inefficiency in the administration of mosate governments and local authorities in the countrys resulted in severe weakness in their management revenues and expenditures. Recent revelation byew Straits Times (NST) (26 September 2002)garding possible misappropriation of assets

M(and which incidentally shows the crucial role playedby internal auditors in uncovering fraud):

Malacca state government has detected assetsamounting to RM21 million missing from its

agency, Yayasan Melaka dating back to 1996.However, RM8 million has been recovered by theinternal auditors appointed by Chief Minister andwere working hard to detect the remaining RM13million worth of assets.

Another motivation for this study concin

gan in the 1990s (Foster and Greenawalt, 1995;hambers, 1996; and Miller, 1999). As a result of this,e Institute of Internal Auditors (IIA) 1997 Globalorum identified a worldwide need to have a greatederstanding of internal auditing (Lower, 1997). Theomotion of internal auditing around the world isesently a priority of

Cviewed as an effort to assist interested parties outsideMalaysia in understanding the nature of internal auditwithin a section of this nations public sector. Perhapsthrough that understanding these parties can in turnassist Malaysians to achieve the successful operationof their internal audit function.

With all these objectives for the study, the followingsignificant outcomes are desired:

To facilitate a better understanding of the mainissues affecting internal audit practice in theMalaysian public sector in the state and local

governments in Peninsular Malaysia. Through theiridentification, the nations policy makers may beassisted in their efforts to imp

To stimulate other research into internal audit. It ishoped that this studys conclus

related sectors such as the Malaysian federalgovernment, co-operatives, NGOs and perhapseven the corporate sector, with particular referenceto development issues in Malaysia and otherdeveloping countries; and

To identify consultancy, training and developmentprograms needed by internal audit units

government entities studied.



4/33

Md Ali et al

Itnepo4

Th

its e. Grier (1934, p. 4)otes that the Zenon-papyri record that internal audits

. According to Flesher and Zarzeski (2002,. 94), these early audits were in many ways similar

(post World War II)ternal audit in that they included both an

ffice of the Auditor General ofanada, 1993 and 1996; Light, 1993; Newcomer,

to focus audits on compliance and regulation, to the

; and little attention toudit findings within agencies by senior managers.

sactions, is staffed by

experienced and untrained personnel, and hasor authority to

ct in the manner expected of internal auditors.

uty to perform internal audits in

very public entity; requires professional training;

is the authors belief that, despite the acceptedgative view of internal audit, change and reform aressible.

LITERATURE REVIEW

e practice of internal audit has a long history, but

goals have changed over timnwere conducted on the Egyptian estate of the Greekruler Ptolemy Philadelphus II approximately 2,500years agopin scope to that of the moderninexamination of the correctness of accounting recordsand an evaluation of the propriety of activitiesreflected in the accounts. In short, the objective wason improving management control over the activitiesof the organization. This contrasts with the situationduring the latter part of the 19

thcentury and the first

half of the 20th

century where the emphasis was onthe detection of fraud. In explaining the turning pointfrom traditional (fraud detection) to modern (businessmanagement enhancement) auditing, Flesher andZarzeski (2002, p. 95) state that the war economy inthe early 1940s played a part whereby the internalauditors started directing their efforts towardsassisting management in any way possible. Andfollowing World War II, the benefit of the auditorsassistance was so obvious to management that therewas no consideration of reducing the auditors scopeto pre-war levels.

In public sector organizations, the internal auditfunction appears to hold high potential for promotingaccountability and improving governmentperformance. Not surprisingly, several countries havedeveloped policies that strengthen the public sectorinternal audit function and enhance their capacity forcontributing to these goals (Auditor-General ofAustralia, 1990; OC1994 and 1998). Policy measures include thefollowing: requiring the establishment of internal auditunits; establishment of standards for the professionalconduct of audit work; training; resource allocation;expanding reporting arrangements and broadeningmandates to make auditors responsible forperformance assessment. Also, the understanding

that internal auditing is an important tool foraccountability has led, in the case of the UnitedStates, to the internal audit functions beingtransferred to Inspectors-General who report findingsto both the Executive and to Congress. Thus, internalaudit is now also a tool for external accountability andno longer merely a tool of internal accountabilityintended to aid senior management of thegovernment organizations.

Nonetheless, available evidence on the recent realityof internal audit operations suggests that there ismuch room for improvement. In the United States,Canada and Australia, the following are the common

findings: inadequate audit coverage, particularly ofareas of major significance and high risk; a tendency

detriment or exclusion of audits of economy,efficiency and effectivenessaFurthermore, in Canada and Australia, professionalqualifications of audit staff are inadequate and thereis insufficient involvement of senior management inaudit planning. As for the Unites States, based upon

his study of the work of the nations Inspectors-General, Light (1993, p. 224) concludes thatgovernment appears no more accountable todaythan before the IG Act.

4.1 Developing nation s examples

As perhaps can be expected, the distance betweeninternal audit ideals and their realities is not unique tothese three developed western countries. In theSudan the situation is far worse. As noted by Brierleyet al. (2001, pp. 73-4), the typical internal auditdepartment in the Sudan is engaged in largely routineauthorisation of tran

ininsufficient credibility, independenceaEmploying interview and observation researchmethods, they conclude that in the few places whereinternal audit may be in operation, it has failed tomeet even one of the five core standards of the IIA interms of independence, professional proficiency,scope of work, performance and management. Toexplain this depressing picture of internal audit in theSudans public sector, the authors consider thecontext within which the internal audit processfunctions. These factors include the countrys pooreconomy, political instability and institutionalisedcorruption. They predict that in such an environment,and without the political will to make the necessarycorrection, internal audit in the Sudanese publicsector will continue to be marginalized in theforeseeable future.

In another developing country the picture of internalaudit in the public sector is also not that rosy. Asnoted by Schwartz and Sulitzeanu-Kenan (2002), inIsrael the recent efforts to strengthen internal auditingthrough a top-down legislative solution have notsignificantly improved the overall performance of auditunits in the lions share of ministries and statutoryauthorities. Specifically, the 1992 Internal Audit Lawplaces a statutory d

erequires access to information; grants a broadmandate that includes audits of economy, efficiency,effectiveness and decision-making, and makesauditors directly responsible to either the Director-General or the Minister. In addition, a 1995amendment requires that senior management discussaudit findings within 45 days of submission. However,Schwartz and Sulitzeanu-Kenan (2002) claim that theLaw has neglected a number of provisions whichwould have improved the effectiveness of the internalaudit function. From a review of the literature, theyidentify three structural variables: audit coveragecapacity (audit staff to total staff, and audit budget to

total budget ratios); professional expertise; andorganizational status. They also identify the absenceof a central body for training and advising public



5/33


sector internal auditors and for monitoring their workas a serious omission in the Law. (They point out thatthis training and advisory body is in operation in theUK and Canada.) Overall, they stress that moststipulations of the Law do little more than to upgradeexisting rules to the statutory level.

After employing a variety of research methodsincluding in-depth interviews with 25 internal auditunits of government ministries and statutoryauthorities, Schwartz and Sulitzeanu-Kenan (2002)conclude that Israeli internal audit units operate wellbelow reasonable capacity and accepted practices.In reaching this conclusion on the effects of theInternal Audit Law on internal audit practice theauthors assessed structure (mentioned earlier);rocess (involving eight variables related to

ith the promulgation of theccountants Act 1967). However it remained inactive

ual general meeting was only held in987 (Azham, 1999). The Institute appears to have

s ofternal audit of 658 organizations in both private and

oting that this report received only ten responses

ompanies, statutory authorities and government

m Ernst & Young, the Malaysianstitute of Corporate Governance (MICG) and the

. But it clearly lacks detailedtandards for the qualification and necessary due

efine and justify without theresence of clear standards (in the form of an internal

pinvolvement of senior management; audit scope; andtreatment of audit findings); and outcome (three typesbased upon the perception of internal auditorscontacted). They utilise the politics of accountability

and policy change theories to explain the causes ofineffectual internal audit legislation and of its relatedweak implementation.

4.2 Malaysia

In Malaysia very little is known of the state of internalaudit in the public sector. The same may also be saidfor internal audit in the private sector. To date verylittle research appears to have been conducted.

The Malaysian Institute of Accountants (MIA) wasestablished in 1967 (wAand its first ann1conducted its first research project in June 1988 less than a year after the statutory body wasactivated in September 1987 (MIA, 1989). The studyinvolved sending questionnaires to the headingovernment sectors, including all companies thenlisted on the Kuala Lumpur Stock Exchange (KLSE)(now the Bursa Malaysia). The response rate was 37percent or 241 organizations. The studys resultsformed the MIAs Report No. 1 issued in July 1989.

Report No. 1 showed that 129 organizations (56percent of the responding organizations) had no

internal audit departments. And out of these 129organizations, 46 mentioned that the internal auditwas carried out by the holding company orgovernment auditors. The report also investigatedthe head of internal audits reporting structures asthey affected the audit report, his requiredqualifications and his audit responsibilities. It is worthnfrom government organizations (recorded asGovernment/Statutory (see Report No. 1, Table B,p. 3)), and that five had no internal audit departments.

In August 1989 the MIA conducted a second studywhich they claimed was more in-depth than the earlier

one (MIA, 1991). Two sets of questionnaires weresent out, one to internal audit managers and anotherto chief executives. There were 106 responses

(19 percent) from the internal audit managers and133 (24 percent) from the chief executives. ReportNo. 2 states that these questionnaires were sent to555 organizations covering both listed and unlistedcdepartments. In contrast to Report No. 1, it does notdisclose how many government sector responses

there were. The report also glosses over the variousand serious issues uncovered by the first study,including the areas of responsibility and reach of theinternal auditors. The MIAs second report attemptedto justify the distressed state of the internal auditfunction in Malaysia as a function of Malaysiasemerging economy status (p. 2), and that internalaudit in Malaysia was similarly an emergingprofession (p. 10).

Besides these two MIA studies conducted in the late1980s, there appears to have been just two otherstudies conducted in the next decade. One was by agroup of Australian academics (Mathews et al., 1995)

on internal audit in both private and governmentorganizations (and which was later used in abenchmarking study by Cooper et al., 1996), andanother, in late 1999, which was a collaborationbetween the audit firInInstitute of Internal Auditors Malaysia (IIAM) (Ernst &Young et al., 2000). The focus was on internal audit incompanies listed at the KLSE (now Bursa Malaysia)and the Malaysian Exchange of Securities Dealing &Automated Quotation Bhd. (MESDAQ). While the MIAstudies were concerned with an overview of internalaudit, the next two focused on the nations internalaudit profile. But just as in the MIA studies, the lattertwo studies also failed to provide much detail on theoperation of internal audit in Malaysia. This isparticularly disheartening considering that Ernst &Young, in its study of internal audit in Russia and theCommonwealth of Independent States (the CIS)(Ernst & Young, 2002a) and another one in theCaribbean (Ernst & Young, 2002b), producedconsiderable amounts of interesting data. Its failure todo the same on the state of internal audit in Malaysiais a little mystifying.

The lack of research into internal audit has providedlimited insight and given little guidance in respect ofinternal audit. Therefore, government departmentsreally only have the internal audit circular, issued as

far back as 1979 by the Treasury in the FinanceMinistry, for guidance.

This circular defines the role and responsibilities ofthe internal auditorsdiligence processes and procedures expected forinternal auditors. Thus, as noted by Chang andDavidson (1999, p. 29) when discussing Audit Lawin the Peoples Republic of China and which isequally applicable to Malaysia, training and educationneeds are hard to dpaudit circular). Also, without a definition of

professional standards in the circular, performanceevaluation, quality assessment and assurance arevery difficult to achieve.



6/33

Md Ali et al

All in all, it is true to say that the major questionsconcerning the public sectors internal audit capacityand its operations have remained unanswered. Thisis obviously not conducive to any serious efforts toready the country to face the challenges ofglobalisation. This study attempts to shine the light ofunderstanding into that black hole and maybe, as far

as internal audit is concerned, Malaysia could set anexample for other developing nations.

There are numerous models for this type of studybesides those used in the Sudanese and Israelistudies mentioned above. An internet search led totwo notable recent studies, conducted in Canada(Canadian Treasury Board Secretariat, 2000) andMalta (National Audit Office, 2000).

The Canadian study was conducted in 2000 by theTreasury Board Secretariat the central agency

sponsible for the internal audit function in the

al audit in theovernment and to propose an appropriate course of

benchmarks indicates that the presenttandards are deficient in a number of respects

ations contained in the report, have hade unintended effect of encouraging other

ailed to all eleven internaluditors: nine responded. Later in July 1999,interviews were also conducted with a number of

n with the Canadian one, anbundance of information of international applicability

mpur, Labuan and Putrajaya,re under the exclusive jurisdiction of their respective

he state governmentsave wide legislative powers to control local

r functioning.

s responded to the research project.one of them had an internal audit department or

ations were not selectedrough random sampling, it cannot be assumed that

.2 Methods of data collection

refederal government. This was in response to many

years of criticism of the state of internal audit inFederal government departments from both insideand outside parliament. The stated purpose of thestudy was: to further analyse the issues raised bythese observers regarding interngaction. The Secretariat consulted with both privateand public sector representatives, including severaldeputy ministers and assistant deputy ministers. Theyalso reviewed submissions and official documentsproduced by interested local and overseas parties,including the Institute of Internal Auditors, based inthe United States, and the Australian National AuditOffice.

In their report, the Secretariat detailed the varioussteps that needed to be taken in order to strengthenthe internal audit operations. A notable one was theneed to review the federal governments internal auditstandards.

In the Executive Summary the Secretariat states:Our assessment of the existing standards againstsuitablesImprovements in these and other areas are needed tobetter align the government standards for internalaudit with those of recognised auditing bodies. Thiscandid admission of deficiency, together with the

recommendthresearchers elsewhere in the world to work onimproving the internal audit operations in theircountries public sectors.

The Maltese study focussed on internal audit ingovernment ministries and departments and tookplace between January 1998 and July 1999. It wasconducted by the National Audit Office (NAO) ofMalta with assistance from an outside consultancyfirm. The aims of the study were to evaluate theinternal audit function and to make recommendationsas to its future role. Data was gathered mainly

through questionnaires ma

government officials, including seven internalauditors. The NAO also analysed relevantdocumentation.

Key issues studied included the administration of thefunction by a central body; the independence ofmanagement support; the level of management

support, and the resources provided for andrestrictions on the function. Various distressingproblems were uncovered and many specificimprovements were proposed. With its concise, no-nonsense manner of presenting the problems and therecommended improvements, this research studyhas, in commoato the process of enhancing the effectiveness of theinternal audit function.

5 RESEARCH DESIGN

5.1 Population and survey sample

The Malaysian government hierarchy has threelevels: federal, state and local. Local governmentsinclude the city, town and local councils, dependingon the territorys population. The federal constitutionstipulates that local governments, outside the federalterritories of Kuala Luastate governments. Thus, thgovernments and to ensure their propeThe population for this study comprised theorganizations forming the state and localgovernments and the state statutory bodies inPeninsular Malaysia (as of May 2003). Specifically,these are:

11 state governments;

93 statutory bodies for state governments; and

98 local governments.

Initial investigations found that a mere 33 out of atotal of 202 qualifying entities possessed internalaudit departments or units. A further two were foundafter the field work had been completed and werealso included in the survey sample. A further 52organizationN

unit.

Since these 52 organizththe results are representative of those organizationsnot contacted by phone. The authors do suggest,however, that the results could be applicable to allorganizations without internal audit service, providedthat their organizational and operationalcircumstances are similar to those organizationswhose personnel were interviewed.

5

The main form of data collection was through face-to-face and telephone interviews. But, documents suchas newspaper reports and audit reports issued by the



7/33


National Audit Department were also reviewed.Finally, during the face-to-face interviews, basicobservation of the interviewees was done. In otherwords, the body language of the interviewees wasrecorded and used to enhance the understanding of

e verbal responses. Despite gathering this data itto an ethnographic

r sociological study. However, the researchers were

also helpssclose the "richness" of social settings for a

other organizations in fact did have internal audit

reasons phone interviewsere conducted with members of these two

allocated to internal audit

tude to internal

ential for

T four parts to the questionnaire: (A)

Practice; (C)

O

u (a), (b), etc. The development of the

n; present

other hand, he/she

common

us is to allow theewer to enter into the participants' perspective

thwas not the intention to turn this in

oaware of a high level of animation (expressive bodylanguage) accompanying the verbal responses, andthis was used to add colour to the purely verbalresponses to the questions. During the face-to-faceinterviews the interviewer also took conscious note ofthe internal audit departments office facilities andresources (presence of filing cabinets, photocopyingfacilities, word-processing facilities, etc.).

The literature refers to these efforts as qualitativemethods of collecting data (Van Maanen, 1979, p.520). These approaches to data collection wereintended to enable the researchers to apply

triangulation to reduce systematic bias in the researchwork (Patton; 1990, p. 470; Miles and Huberman,1994, p. 266). It is interesting that Neuman (1991, pp.329-30) has suggested that triangulation not onlyincreases the "sophisticated rigor" of the datacollection and analysis process, butdiqualitative inquiry. He mentions that quantitativeresearchers would consider the inconsistent picturederived from data on the same social event andcollected by different methods, different researchersor at different times, as "bias" or "error". This he sayswould not be the case for a qualitative researcher.

5.2.1 In-depth interviews

The main bulk of the data was derived from face-to-face and telephone interviews. The face-to-faceinterviews were conducted with the internal auditorsworking in government internal audit departments orunits, while the phone interviews took place withconcerned parties in organizations that did not havean internal audit function. Only after the completion ofthe face-to-face interviews was it discovered that twodepartments. For logisticalworganizations.

The interview questionnaire for the internal auditorsfocussed on the following key issues:

The role, scope and perceived value of internalaudit

The types of activities internal auditors perform

The size, structure and authority of the internalaudit function

The independence of the internal auditors

The resources

The internal audit education, training, skills andexpertise

The government organizations attia

The support mechanism for the internal auditfunctio

udit

n

The interrelationship between internal and externalauditors

The present and future challenges and potchange

here wereBackground information; (B) Organizational Audit

Supportive Efforts for OrganizationalAudit Practice; and (D) Internal Audit in the

rganization and Government Sector as a Whole. Ofa total of 60 questions, 51 were of a closed-ended,structured type (Parts B and C) and 9 were of anopen-ended, semi-structured type (Part D). 12 of theclosed-ended structured type questions had multiple

b-partssquestionnaire is discussed in Appendix A.

The closed-ended structured type questions (SectionsB and C) were concerned with the following: facts,such as the number of internal audit staff;perceptions, such as knowledge elements needed by

internal auditors to ensure the fulfillment of theirpresent roles; and the extent of agreement withvarious prepared statements. As for the open-endedsemi-structured type of questions (Section D), therewere three categories: the history and future of

ternal audit operation in the organizatioinweaknesses and strength of the organizationsinternal audit department or unit; and obstacles to andpotential for change in the operation of internal auditin the public sector as a whole.

Specifically with regard to Section D, the questionswere designed to allow the interviewees aconsiderable degree of flexibility. The same applied tothe questions raised in the phone interviews with theconcerned parties in organizations which did notpossess internal audit departments or units.

Thus, if an interviewee were to show great interest inan issue and wished to develop it further, he/she wasncouraged to do so. If on thee

was not comfortable responding, or claimed to havelittle knowledge of a particular issue, the question wasdropped. This presented the possibility that moreinformation could be collected from some people thanfrom others. In general, the questions were preparedso as to ensure that all relevant topics were covereduring the interviews. It was assumed that ad

core of information would emerge from the interviews,

but no standardized questions were prepared inadvance. The wording and the sequence of questionswere also adapted to accommodate specificparticipants in the actual interviews (Patton, 1990, p.283; Kvale, 1996, Chapter Seven).

The questions were deliberately open-ended toenable interviewees to express their understanding intheir own words. There were no predeterminedphrases or categories from which the intervieweeshould choose. The intention was for theinterviewees' viewpoints to be clearly understood bystudying their terminology and opinions, and byrecording the complexities of their individual

perceptions and experiences. As Patton (1990, p.78) succinctly notes, the purpose th2

intervi



8/33

Md Ali et al

using the assumption that the perspective of others ismeaningful, knowable and able to be made explicit.

6 FINDINGS

All the face-to-face and phone interviews with theinternal auditors took place during the third quarter of

2003 and the first quarter 2004. Out of the 202SLoGBs in the whole of Peninsular Malaysia, it wasdiscovered that a mere 35 had either internal auditdepartments or units (9 state governments, 14 localauthorities and 12 state statutory bodies). (SeeAppendix B for the list of SLoGBs with internal audit

nd the auditors interviewed.) Of the 167 SLoGBsaudit department or unit, a total of

2 of them were contacted by phone in the first

internal auditors frome state governments.

rom a total of 35 SLoGBs that possessed internal

staffing, auditharter and audit independence, occurred within an

ve hadternal audit capacity for no more than three years.

half of the 35 SLoGBsossessing an internal audit function, the experience

he

athat had no internal5quarter of 2004. (See Appendix C for the list ofSLoGBs contacted by phone.)

From this group of 52 SLoGBs that had no internalaudit function, personnel from 48 of these provided

useful data during the phone interviews. These 48government bodies were situated in Perlis (4), Kedah(8), Penang (2) Selangor (5), Malacca (7), NegeriSembilan (3), Pahang (8), Terengganu (4) andKelantan (7). No phone calls were made toorganizations in Perak and Johor because informationat hand was that the internal audit function in thesebodies was being carried out bythForty-five of the 48 organizations in this categoryconsidered internal audit to be an important tool fororganizational improvement. Unfortunately, a meager10 organizations said their organizations would beforming internal audit departments or units in the nearfuture, while five others said that there was a chance

Table 1: Age of internal audit department or uni t in t

that the internal audit function might be outsourcedinstead. Two more organizations had just set up theirinternal audit functions. Among the 10 who said thattheir organizations would establish internal auditfunctions in the near future, two said that theirorganizations would opt for internal audit outsourcing.

A variety of reasons as to why their organizations hadfailed to form internal audit departments or units in thefirst place were presented. The more frequent reasonwas the small size of their operations.

Faudit functions and that were interviewed (33 face-to-face; 2 by phone), it was found that they wereexperiencing a variety of problems in the auditoperation. Some issues, such as auditcinternal audit department or unit itself. These may becontrasted with those issues and problems involvinginteractions between audit personnel and other

government personnel from outside the internal auditdepartment or unit. These outside parties include thetop management, departmental heads and non-auditpersonnel. These issues are discussed next.

6.1 Age of internal audit

Table 1 below shows that 16 SLoGBs (nearly 46percent) have had internal audit capacity for no morethan five years. In fact, nearly a quarter hainAll in all, for just overpis still a relatively new one.

organization

Total %

Less than 1 year old 2.91Over 1 year old but less than 3 year old 7 20.0

8 22.94 11.4

ver 10 year old 42.9

Over 3 year old but less than 5 year oldOver 5 year old but less than 10 year oldO 15

Total 35 100

At the other ehave had an i

and this shoul a positive factor. Anin-depth look es a more complicated picture.

or at least one organization the internal audit

guidance are not available. s therefore notsurprising that t little audit they do conduct is

related to the monitoring of p management an area most fa u ad.

rganisationsave no diploma holders in their departments; 31%

ee holders, and 80% have noasters degree holders.

xtreme 15 SLoGBs (over forty percent)nternal audit function for over ten years

d at first glance beprovid

Ffunction was apparently established in 1980 but wasonly in operation for the next two years. In early 2003,the internal audit function was reactivated, with a staffcomplement of two. Earlier, the internal audit activitieswere suspended due to the transfer of the auditpersonnel to other parts of the organization and itsrelated bodies. But even with the recent reactivation ,the audit head has still not been able to focus fully oninternal audit because of being assigned by theorganizational head to another, unrelated job. Whatmade it worse is that both audit head and his

assistant lack audit competence. In addition the auditprograms that are supposed to be in place to provide

6.2 Audit staffing

Within the 35 SLoGBs covered in this study, there arefifty eight diploma holders, thirty four first degreeholders and seven masters degree holders workingas internal auditors. (See Table 2 below.)

Also noteworthy is the fact that 14% of o

It iwha

rojectmiliar to the a dit he

hhave no Bachelor degrM



9/33


Table 2: Total number of diploma, bachelor degree and

Diplom

master holders

a

No. of organisations No. of diplomaholders

Total no. of diplomaholders

%

5 0 0 0.0013 1 13 22.41

12 2 24 41.381 3 3 5.172 4 8 13.792 5 10 17.24

35 Total 58 100.00

Bachelors Degree

No. of organisations No. of bachelorsdegree holders

Total no. of bachelorsdegree holders

%

11 0 0 0.0015 1 15 44.128 2 16 47.061 3 3 8.8235 Total 34 100.00

Masters Degree

No. of organisations No. of mastersdegree holders

Total no. of mastersdegree holders

%

28 0 0 07 1 7 100.00

35 Total 7 100.00

In the closed-ended section of the interview, auditorsfrom over two-third (or 24) of the SLoGBs voiced theirdissatisfaction with the total number of staff working intheir audit departments or units. The problem ofinadequate numbers of audit personnel was alsomuch stressed by auditors from the majority of theSLoGBs in the open-ended section of the interviewsession. In fact it was seen as one of their main

problems which is not surprising considering that outof the 35 SLoGBs, twenty of them (just over 57percent) have a staff complement (including clerical)of no more than five. A mere 4 SLoGBs (just over 11percent) have more than 11 audit personnel (seeTable 3 below).

Table 3: Audit personnel available

Total %

Fewer than 3 5 14.29Between 3 and 5 15 42.86Between 6 and 10 11 31.43Over 11 people 4 11.43

Total 35 100.00

The shortages in audit personnel as perceive by those interviewed is shown in Table 4 below.

Table 4: Audit staff inadequacy

Total %Inadequate by 3 or less 13 54.17Inadequate by 4 to 5 4 16.67Inadequate by 6 to 10 5 20.83Inadequate by over 11 staff 2 8.33

Total 24 100.00

In one particular organization whose audit operationhas two staff members (compared with theorganizations total of several hundred employees,and a budget of tens of millions of Ringgit), it resortsto the use of students from local institutions of highereducation, who are undergoing practical training (aspart of their degree program), to conduct internal

audits!

In another case, the internal audit operation has fewerthan five members but their audit responsibility is soextensive that they resort to seeking assistance fromcolleagues working in other departments within theorganization. Problems arise when the assistance isneeded for long periods, or when their departmentalheads are reluctant to let them go.



10/33

Md Ali et al

6.3Audi t t raining and development yet progressed tThe open-e ewlack of audi thefaced by auditors in LoGBs. In many eheads of the internal audit operations themselvesacknowledge that they do not possess full

competence for their posts, and they must be lutedfor their honesty in ac wledging their short ings!Unfortunately the rec ition of the problem s not

o upgraded qualifications becauseappropriate courses and workshops that are

SLoGBs are not yet preparedt be seen Table 5, auditorsfrom jus oGBs (less th quarter) believethat the currently offered tr programs aresufficient r auditors from fifty percent of

the SLoGBs, the view is that t rams attendedare not sufficient at all.

Table 5: Opinion on ining and de s

rrent

nded part of the intervit competency is one of

revealed that amain problems

cas s, thS e

sakno comogn ha

theavailable are costly ando pay for them. As can

t ei t SLin

gh an aaining

. Fo nearly

h ge pro

staff tra velopment programme

Sufficient Complete Cu

To tal %Total % tal % To

Yes 22.9 5 14.3 11 31.48

No 17 48.6 16 45.7 12 34

No nt 0 1 2.9 1 2.9

No nswer 28.6 13 11 31

Total 35 100 35 100 35 100

.3

Comme 0

A 10 37.1 .4

There is a possibil rtaappropriate development and training prby government intern ditors may be ca byfactors other than financial. In one particular

terview, it was mentioned that there are not many

nly five auditorsraining on offer

was sufficient and eleven or less than a third)believed it had current relevFinally, it may be worth oneparticular organization, w longestablished and well-staffed intern

e one approach being pro to deal with staff

ith the presence ofars to be aware of

the significant role played by internal audit, it is

e s could w be implementedin du6.4 Knowl ge elements

s defined by Ridley & Chambers,998).

Thus, as can be seen in Table 6 below, the currentfocus is on issues such as interrogation techniques,

s of controls and financial accounting, whereasanced , featuring risk vocabulary,

ncepts and gement techniques, globalizationd forensic g, are not part of the core issuescused on.

t when t ors from the 35 SLoGBs werechanges in theauditors in the

future, all of them gave positive answers, showingthat they expected the futures knowledge elements tobe signi different those needed in theircurrent w environm

Table 6: Knowledg

Knowledge Eleme l %

ity that the sho ge of skills andogram faceds

al au used

ininternal audit related programs available togovernment sector auditors. This was in dramaticcontrast with the many courses for private sectorinternal auditors, which the interviewees alsoconsidered to be superior in content.

Besides the issue of sufficiency, there are the issuesof completeness and current relevance of the

vailable audit training and development programs.

When asked about knowledge elements which aninternal auditor needs in order to fulfill his or hercurrent role in the organization, as was expected, themajority of those interviewed provided answersconsistent with their work environment: i.e. eithertraditional or modern, as opposed to that of theadvanced type (a

aAs may be seen in Table 5 above, o

percent) believed the t(just over 14(

ance.

mentioning that inyith a relativel

al audit function,th posedlacking in competency is to re-grade the internal auditosition in the organization and to create new posts

asked whether they expectedknowledge elements for internalp

for the internal audit department. Wnizational head who appean orga

xpected that such ideae time

ell.

ed

1

typedva issues

co manaan auditinfoBu he audit

ficantlyo g

fromrkin ent.

e elements

nts Tota

Interrogation techn 34 97.14iquesTypes of control (preventive, detective, directive and corrective) 34 97.14Financial accounting

Auditing and analytical skills

34 97.14

33 94.29Communication techniquesLegalRed flags (indicators of fraud such as unauthorised tracontrols, unexplained pricing exceptions or unusually laTypes of frauds

Compu

32 91.4332 91.43

ctions, overrides ofe losses)

32 91.43

32

nsarg

91.43

ter technology 32 91.43Ethics 31 88.57



11/33


Cost accounting 27 77.14Risk vocabulary, concepts and management techniques 27 77.14ISO framework 25 71.43TQM 20 57.14

Globalisation 18 51.43Forensic auditing 15 42.86

Business Improvement Audit, e-Audit 1 2.86

Humanity knowledge, psychology 1 2.86Practical training in private and public sectorWork procedure, policies and service instruction

1 2.861 2.86

Government structure 1 2.861 2.86Technical, i.e. QS and Engineering Skills

6.5 Audit charter

The presence of an audit charter isconsidered of utmost importance for internal ditoand those with who t. This is causethis document shou y least be le tclarify which matter r the purvi f th

in rs. It however that fiveS (ju er n percent) failed to developsuc do t. F the wenty-six (over 86per t) c hat r a harters specify thetype of re sibilit r tas d the authority heldby i nal rs Ta elow).

able 7: Details of audit charter

usuallyau rs

m they interacer

beld at the v

s come unde ab

ew ooe

teLoGBs

rnal audito was foundst ov

cumenfourtee

h a or rest, tcen laim t thei udit cs spon y o k an

nter audito (see ble 7 b

T

Total %

The various types of audit responsibility or task un 26 86.67dertakenThe authority heldDelineation of procedures of responding to auditDelineation of procedures for issuing audit reports

26orts 19

86.67re 63.33p 22 73.33

Interestingly however, sixteen of the audit operationspossessing an audit charter (over fifty three percent)are still required to handle other apecified in the audit charters. Regardi

udit tasks notng the specific

ese include riskes, working

uditors from all five SLoGBs without audit charterst popular task they

to determine whether their objectives have

ed. Only one or two SLoGBs auditors

s are guided by audit charters onlyat IT audits are being conducted (see

T ies or tasks specified in audit charter

Total

stasks detailed in their audit charters, auditors fromtwenty-four SLoGBs (eighty percent of the thirty that

have audit charters) stated that the two most populartasks were appraising the adequacy andeffectiveness of internal controls, and assessing thecompliance with policies, plans, procedures and law.As for the less popular tasks, th

ssessment and governance processaclosely with external auditors, and providinginformation to outside parties (see Table 8 below).

It was found that for all five of the SLoGBs whoseauditors operate without audit charters, theirresponsibilities or tasks were determined on the basisof management requests and interviews. Their nextmost popular approach was by reviewing the findingsof external auditors (see Table 9 below).

Aalso pointed out that the mos

handled was verifying the existence of assets andtheir proper safeguards. The less popular tasks wereno different from those SLoGBs with audit charters:risks assessment; working closely with externalauditors, and assessing the presence of adequatecriteria

een fulfillbstated that these tasks were specified in their auditcharters.

It is notable that IT audit appears to be quiteunpopular for auditors whether acting with or withoutan audit charter. Of the twenty four SLoGBs whoseaudit activitie

x specify thsiTable 8), while none for those without audit charterssay they conduct an IT audit. However, when auditorsfrom all thirty five SLoGBs were asked whetherthey expected changes in the role and responsibilitiesof the audit function in the next few years, twentysix out of thirty three (or nearly eighty percent)

responded Yes.

able 8: Responsibil it

Responsibility/Task %

Appraise the adequacy and effectiveness of internal controls both accounting anded in all the activities of the organization

24 80.00administrative that are appliAssess the extent of compliance with policies, plans, procedures and law 24

n objective and timely reports to the department head so that he/she is informed of t 23 76.67

80.00

Hand i herelevant aspects of the organizational position and performanceVerify the existence of assets and proper safeguards for their protection 22 73.33

improve the working of the governmental body 22

established objectives and goals have been achieved 22information reliability and integrity 20

Suggest steps to 73.33

Ascertain whether the 73.33Review 66.67Conduct financial auditing activities separate from those conducted by the external auditors 19 63.33



12/33

Md Ali et al

Appraise the economy and efficiency with which resources are employed 1918 60.00

pplication of government revenues 17bute towards the organizations governance process by evaluation and recommendin

to the manner in which organizational values and goals are established,preserved, and accountability ensured

17 56.67

d procedures 17 7

the organization and analyse and evaluate controls 15 50.00

eration with the external auditors 15 0he relevant outside agency (such as the Central Authority of Internal 15 50.00

Conduct detailed checks on expenditures prior to payment 14 46.67

63.33Investigate fraudsAscertain the proper a 56.67Contri gimprovementscommunicated andProvide advice in setting up policies an 56.6

Identify and assess risks faced byestablished to respond to such risksConduct financial auditing activities in close coop 50.0Provide information to tAudit for federal government agencies)

Assess the presenwhether its objectives hav

ce of adequate criteria used by the gove been accomplished

ernmental entity in determining 12 40.00

Conduct special projects 12 40.00Some other responsibilities 8 26.67Conduct information technology audits (IT Audits) 6 20.00

Table 9: Approaches to determining audit responsibilities or tasks when no audit charter exists

sibi lit ies or Tasks Total %How to Determine Audit ResponManagement interviewed for inputs 5 100.00Management requests 100.00

Arising 80.00

5

from findings of external auditors 4Rotatio 60.00Audit ri l controls, comp y ofoperati

60.00

Availability of internal audit hours 2 40.00

nal approach 3sk assessment (covering factors such as quality of interna lexitons, length of time since the areas last audit, etc.)

3

OthersExternal auditor requestsAudit committee requests

2 40.001 20.001 20.00

It is notable that auditors from 17 of the 24 SLoGBswho expect changes in internal audit, have identified

IT audit as likely to be the most popular future task(see Table 10 below). The closest rival tasks for audit

Table 10: Future audit responsibilit ies or tasks

in the future were identified by only nine SLoGBsauditors. These tasks are providing advice in setting

up policies and procedures; investigating frauds, andworking closely with external auditors.

Total %

Conduct information technology audits (IT Audits) 17 70.83Provide advice in setting up policies and proceduresInvestigate frauds

9 37.509 37.50

ith the external auditors 9 37.50aluating the manner that

icated and preserved andese processes

7 29.17

ental entity to determine whether 7 29.17

nalyse and evaluat

Conduct financial auditing activities in close cooperatioContribute to the organizations governance process by evorganizational values and goals are established, commuaccountability ensured and proposing improvements toAssess the presence of adequate criteria for the goverits objectives have been accomplished

n w

nthnm

Identify and assess risks faced by the organization and a e controls 7 29.17

ead so that he/she is apprised ofthe relevant aspects of the organizational position and performance

7 29.17

7 29.17ntral Authority of Internal

ment agencies)7 29.17

6 25.00th accounting and

ployed 6 25.00

tection

d goals have been achieved

established to respond to such risksHand in objective and timely reports to the department h

Review information reliability and integrityProvide information to the relevant outside party (such as the CeAudit for federal governAscertain the proper application of government revenuesConduct detailed checks on expenditures prior to payment

6 25.00

Appraise the adequacy and effectiveness of internal controls covering boadministrative aspects that are applied in all the activities of the organizationAppraise the economy and efficiency with which resources are em

6 25.00

Suggest steps to improve the working of the governmental body 5 20.83Verify the existence of assets and proper safeguards for their pro 5 20.83

Assess the extent of compliance with policies, plans, procedures and law 4 16.67Ascertain whether established objectives an 4 16.67Conduct financial auditing activities separate from those conducted by the external auditors 2 8.33



13/33


6

TaFam

ho did confirm meeting wmanagement, they usually noted the presemany other parties in such meetings, includi

ous adsrnal audit department or

nit, amongst others.

T

.6 Internal audit execution interviewed w

here are many signs that the performance of theudit activity leaves a lot of room for improvement.irst, over one-third (or 12) of the SLoGBs internaluditors have no regular meetings with top

head of the organization, the varidepartments, the head of inteu

anagement (see Table 11 below). But of those

ith topnce ofng the

he of the

able 11: Regular meeting wi th top management

Total %

None 12 34.29Fewer than 3 2 5.71

.00

35 100.00

Between 3 and 7 14 40.00Over 7 times 7 20

Total

S asth

(see Table 12 below). Again from Table 12 thpopular approach to identifying audita are

tified

Total Entities with auditcharter (30)

Entities wiaudi art

econd, regarding the identification of auditable areithin the organization, a third of the SLoGBs wiw

audit charters failed to conduct a risk assessment by referring to previous audits.

e mostas wasble

Table 12: How the prob lem/auditable areas are iden

thoutt ch er (5)

Previous audit results 32 28 4Management requests 27 23 4

34

occurred 18 17 1

Cyclical audit 26 23Risk assessment factors (such as quality of internal

, last time24 20

controls, complexity of operations, etc.) deemed highaudited

Alleged irregular conduct

nother sign that all is not well in internal audit in

ssee

stated that there was no obstruction to their accessinga lyqM

Iepap reviewing of

aa

On the positive side, over thirty internal audit

ditee, andthe development of recommendations wheneverappropriate.

This should augur well for internal audit in theSLoGBs concerned. But on further in tigasad reality is that there is a lack of gani l

n a numb of S .eral interview th tnsidered to be of little

auditee organizations. This is probablythorit has

interest in whether or not an auditee implements the

esrelease of the audit report is essentially the end of the

T

Total

ASLoGBs is the fact that internal auditors from fiveSLoGBs (just over 14 percent) were not given accessto certain sections of their organizations. It is alsoworth noting that in one particular interview it wastated that there was no obstruction to access. In the

heads stated that the following activities wereamong those that routinely took place during theirauditing: performance of follow-up audits on all auditfindings after the presentation of the audit report;discussion of recommendations with the aus

next breath the interviewee stated that acceends on CEOs final say. Another interviewdep

ll sections of the organization. This was immediateualified by the statement: except for the office of theayor.

t is discouraging to find that certain activities usuallyxpected of internal auditors are not that frequentlyerformed (see Table 13 below). Thus, the following

As emerged from sevfindings are always coimportance by

udit tasks are seldom considered during thelanning stage: the potential fraud risk;

because nobody in higher au

udit working papers by senior auditors, andssessing risk.

suggestions made by the auditor. As a r

ves tion the or zationa

openness towards changes i er LoGBss, e audi

y shown

ult, the

audit process.

hen auditingable 13: Specific activities undertaken w

%

Conduct interviews 34 97.14

Prepare audit report 33 94.29Prepare annual audit plan detailing the auditable areas, the resources required andduration of each audit activity during a calendar year

33 94.29

Review prior audit reports and other relevant documentations 32 91.4331 8

f the audit 31 88.57

31 88

82

Develop work papers 8.57Perform follow-up audits on all audit findings sometime after the issuance oreport

Discuss recommendations with auditee 8.57Develop recommendations when appropriate 31

Disseminate audit outcome to the appropriate individuals 29

8.57

.86



14/33

Md Ali et al

Require written response from auditee (to include among others plans for correctiveaction and the date by which action will be implemented)

29 82.86

Maintain an awareness of the potential for fraud while auditing 29 82.86Use audit aids such as flowcharting, internal control questionnaires and checklists 29 82.86Evaluate the relevance, sufficiency and competency of evidence 28 80.00Monitoring the progress of audit work 27 77.14Use computer 25 71.43

Consider the potential for fraud during planning stage 24 68.57Perform Analytical Review Procedures 24 68.57Review audit work papers by senior auditors 24 68.57Execute judgmental sampling 22 62.86Execute statistical sampling 21 60.00

Use risk assessment technique to inform the audit planning and resource allocationprocess

17 48.57

Some other operational details are executed 4 11.43

The internal auditors assessment of their currentperformance corresponds closely with theorganizational and structural problems andobstructions discussed above. Thus, as can be seen

in Table 14 below, internal auditors from 14 SLoGBs(forty percent) could only manage to rate their auditperformance as Average.

Table 14: Performance of in ternal audit department or un it

Total %

Excellent 5 14.29Good 16 45.71Average 14 40.00Weak 0 0.00Very Weak 0 0.00

Total 35 100.00

A clear indication that there is a lot of room forimprovement in internal audit in the SLoGBs asidefrom the fact that a mere 35 out of 202 of them inPeninsular Malaysia have an internal audit

department or unit - is the fact that auditors from 22SLoGBs (or over sixty percent) said that there was noassessment program that covered all aspects of theinternal audit activity and which continuouslymonitored its effectiveness,. Among those auditorswho said that there were assessment programstaking place, one claimed that it came in the form ofexamination by internal auditors attached to the stategovernment, and included the presentation of a reporton the function, tasks and effectiveness of internalaudit at the states exco meetings.

6.7 Aud it independence

For both external and internal auditors, their

independence from those whom they audit is crucialfor the success of their function. For internal auditorsit is more difficult to achieve independence becausethey are actually employees of the organization theyaudit.

Thus, it is surprisingly pleasant to find that auditorsfrom twenty-five SLoGBs (over seventy percent) saythat the internal audit function is placed high up theorganizational chart. Also, audit findings arefrequently communicated with relevant parties for allSLoGBs. In each organization this is a formal, writtenreport, and in a majority of cases (31 or almost ninety

percent) the recipients are the organizational heads.In five cases, the written reports are supported by oralpresentations. In thirty-one SLoGBs (or almost ninetypercent), the written reports include the management

action plan which clearly identifies for eachrecommendation, the actions to be taken and theirtiming. In cases where no such action plan ispresented, two of them claim that the partiesmentioned in the report are required by theorganizations to respond to the reports by filing actionplans or other responses to parties such as the headsof the organizations, the audit committees, or headsof internal audit departments.

As can be seen in Table 15, it is also particularlyencouraging to find that in 30 cases (just over 85percent), the auditors are in fact required by theorganizations to monitor whether or not therecommendations made in the audit reports have

been acted upon. In one particular case, an auditeewas given two weeks to respond to an audit report.And two weeks after the response had been made,the auditor was required to verify whether the auditeehad in fact taken the needed action. Unfortunately,there are also four cases (just over eleven percent)where the auditors are not required by theorganizations to do follow up, and neither has anyoneelse in the organization been asked to do themonitoring. In one additional case, the participantfailed to provide any answer. Here, it is also likely thatno follow up is performed or expected.



15/33


Table 15: Audit monitoring of the actions taken up byaudit report

ot

the relevant parties upon recommendations in the

T al %

Yes 30 85.71No 4 11.43No Answer 1 2.86

35 100.00

Besides the monitoring issue, there are other issuesaffecting indepe ly by internalaudit personnel rom a list of questionswhere answer Yes, No, NoComment or nd that in fourSLoGBs (just o rcent) the auditors wereot able to sa they were free to allocate

techniques to accomplish the a es. Also, infour SLoGBs th w le to say thatthey were free to obtain the necessary assistance ofpersonnel in areas of the org eing audited;and, in seven SLoGBs (twe ent) the auditorsfailed to say that they wer to produce auditreports where the contents t be to the liking

ne

Yes % Other than %

ndence, and faced dai in SLoGBs. Fs were either

as fouOthers, it wven pever ele

y thatnresources, set audit frequencies, select subjects,determine scope of work and apply appropriate

of those associated with the organizations they comefrom (see Table 16a below).

able 16a: Independent issues faced by audit person l

udit objective auditors ere unab

anizations bnty perc

e freemight no

T

Yes

Face no obstruction to audit regardless of offices, records,p

33 94.29roperty and personnel

2 5.71

H nior personnel 33 .29 2 5.71F resources, set frequencies, select subjects,d uireda

31 88.57 4 11.43

F ssistance of personnel in areas ofth formed

31 88.57 4 11.43

Free to produce audit reports where the contents may not be tow

28 80.00 7 20.00

ave regular access to se 94ree to allocateetermine scope of work and apply the techniques reqccomplish audit objectivesree to obtain the necessary a

to

e organization where audits are per

the liking of individuals or groups working or associatedorganization

ith the

Doubts about audit personnels independence mayalso arise in another two situations (see Table 16b).First, auditors from six SLoGBs (just over 17 percent)were not able to say that they were free fromperforming operational tasks such as preparinginventory records and other basic accountingdepartment functions.

Table 16b

Second, auditors from 16 SLoGBs (nearly half) wereunable to state that they are incapable to direct theactivities of personnel outside their audit departmentsor units who have not been assigned to assist them.

: Addit ional independent issues faced by aud

it personnel

No % Otherthan No

%

Perform operational duties for the organization or its afcompiling inventory records, participating in departmentaprocurement boards, involvement in accounting process

Direct the activities of any organization employee not emthe Internal Audit Department except to the extent suchave been appr

filial,

phopriately assigned to assist the internal au

tes such as

etc.

29 82.86 6 17.14

loyed withinemployeesditors

19 54.29 16 45.71

The fact that there are issues worth considering about the independence of internal auditors in SLoGBs mayb the fact that auditors from 14S at they have encounteredtmcS

Ta swers thata ers int

With regard to obstructed access to auditingoffices, records, property an onnel, itorsfrom only two SLoGBs cla at th ditactivities were restricted by th izati ee

whe ey we edtions in their orga ns

ich were off limits, auditors from fivean ooGBs agreed that there were h sect

uestion of whe ditaccess to or

management, auditors from tw Bs edthat they did not have fre t acc eeTable 16a), although earlier, itors ll

e clearly seen fromLoGBs acknowledged th

hreats in their jobs. Auditors from nine SLoGBsention that these threats include scratching of their

ars, puncturing the tires, verbal abuse and abusive

Table 16a). But earlierwhether there were sec

MSs.

he final issue regarding the independence of internaluditors

Also, in regard to the qpersonnel have frequent

in SLoGBs is concerned with anppear to contradict interviewees other answhe interview sessions.

d persim th

auded eir au

e organ ons (sn th re ask

nizatiowhSL

d not twsuc ions.

ther au seni

o SLoG indicatquen ess (s aud from a



16/33

Md Ali et al

35 SLoGBs claimed to communicate frequently withrelevant parties on audit findings.

disseminate information

l activities forion. However, in the open-ended

organizationtask of

the organization.

6

A a halfation

lack of understanding of the role of internal audit asindependent apprai n in the organizations(see Table 17a). Ma l auditor isviewed by non-audit l as mainly interested infinding out other faults. One particularinterviewee stated: department does not

and u standimembers of the department.

sed-ended section of thew, auditors from 25 of the SLoGBs (just over

71 percent) either agree or agree strongly t reis a lack of appreciation of the v and im ce

of internal audit in the organizations (see Ta ).One interviewee stated: They focuscenters.

The need for improved co-operati ndternal auditors eir

clients, revealed in the closed question portion of thequestionnaire, is confirmed by various commentsmade in response to the open-ended questions. Many

than looking for otherpeoples mistakes. In another interview, it was

oned that the prevailing view among non-auditnnel was that the work of internal auditors has

made th k more co ated than necessary. Inother wor they have rception that their workwould be er withou rs.

able 17a: Audit - non-audit personnel interaction

There was also one particular case where, in theclosed-ended section of the interview session, the Finally, from the clo

responses indicated that the internal audit intervie

personnel do not conduct operationathe organizat

section of the interview, the responses clearlyindicated that the head of thespecifically assigned the audit head thepreparing group accounts for

.8Audi t - non-audit personnel interaction understanding between in

uditors from 18 SLoGBs (fifty one andercent) feel that the level of support and cooperp

from other parties inside the organizations is actuallygood. In strong contrast, auditors from 13 SLoGBs (orjust over 37 percent) either agree or agree stronglythat there is little support and minimal cooperationrom others in the organizations being audited. Again,

of these comments are concerned with the negativeperception held by non-audit personnel: as aninterviewee pointed out, auditors are believed to beinterested in nothing more

fauditors from nearly seventy five percent of the

Bs either agree or agree strongly that there is a mentipersoSLoG

sal functiothat the internany say

personnespeople

The head of

nder ng to all

hat thealue portan

ble 17ajust on profit

on aand th

eir wor mplicds, the peeasi t audito

T

Strongly

Agree

Agree Not Sure Disagree StronglyDisagree

Total % Total % Total % Total % Total %

There is little support and minimal cooperation

coming from others in the organization for theInternal Audit Department to be able to conductits activities successfully.

1 2.9 12 34.3 4 11.4 17 48.6 1 2.9

There is a lack of understanding of the role ofinternal audit as an independent appraisalfunction within the organization.

7 20

There is a lack of appreciation of the value andimportance of the Internal Audit Department inthe organization.

5 14.3

19 54.3 3 8.6 6 17.1 0 0

20 57.1 5 14.3 5 14.3 0 0

Some other comments raised by intervieweesoncerned those auditee staff whose jobs and

ed on (negatively) by theternal auditors. Typical responses to the audit report

kings, and with little more than silence fromgher up the organisation, the internal auditors have

atters raised relate to the performance of those high

p in the organizations concerned. These people,equently on a higher salary grade than the internalaudit head, pull rank and have the auditors

In reality however such supportive organizationalheads are hard to find in SLoGBs. In fact many

organizational heads seem to actively sabotage theviability of the internal audit process by ensuring thatthe departments are under-staffed, and that those

cperformances were commentininclude necessary actions shall be taken, but

nothing further happened, or that this matter shall bemade certain to never recur, but are in fact allowedto reoccur year after year. But with no power toensure that the auditees make good on theirundertahivery little option except to suffer in silence.

Fortunately or unfortunately, this occurs most often inordinary cases such as records not up-to-date. Incases considered serious, the internal audit headsmay resort to sending of appropriate letters higherup. Problems may occur however when thosem

ufr

admonished for having dared to write suchreprimands!

6.9 Audi t top management interaction

It is our contention that the two problems of under-staffed internal audit departments and of internal auditstaff with inadequate skills could be overcome if theheads of the organizations possessed the intentionand will to get the best for and from theirdepartments. Similarly, the negative perception ofinternal auditors as fault-finders whose comments cansafely be ignored, could be reversed if organizationalheads were to actively support and place positivevalue on the activities and reports of the internal auditpersonnel, providing leadership by example.



17/33


staff they do see fit to employ are juniors and/or havedit experience. In a fe

but for one reason or another, the audit reports areminimal au w cases the audit

nnel are further burdened ith duties unrelatedto auditing, with the objective of preventing the auditfrom occurring.

In one particular organization th on

several occasions requested permission from hisuperiors to hire additional staff. The standard

urprising that the audit head comments that he/she

wards the internal audit department: whether its

presence or absence would have any material impacton the futw does.

Isatdsat cus has changed from financial

anagement to other responsibilities that supposedly

eatment, compared to a fewthers, all is not quite lost for internal audit in this

e to audit whichever departments, records, assetsand personnel they see fit. They are also free toaoat

it

the organizational head.

not sent to the organizations head.

audit reports to thenizatio d does not, however, guarantee

y w ead. There is widespread apathywards au ports amongst heads of SLoGBs.

his was d by many of those interviewed,and obviously contributes to the undermining of and

not usually botheredabout the report and the function played by theinternal auditor.

One audit h eporte at to nt on oneon put the audit report in cold storage

year. A er i ee reported that theorganization d clined to side w e

itees wh er th proven by the au ofailed to follow ational proceduraudit heads interviewed explained that this was

nizati head needed supportvar dep al heads in order to retain

on as the head of the organiz !sly th as e e auditors confidcess, and the lines of authority.

In addition to organizational heads failing to take auditports seriously, there are others who expect the

ave succumbed to outside pressure (includingpolitical) that has persuaded them to ignore thefindings of misconduct by the internal auditors.

This auditor is from a te w n fo ecorruption of i vil s nts icians, as

by er po erfe ations

nment organizations suspend standardoc es ing t action

tside gove , and h indvery well be politicians). In other words

in authority in the government sector arecolluding with those in the private sectors to the

imththstprPap ivil

w

Ppr

perso w The submission of the

e audit head has

sresponse has been that not many people areinterested in coming to work in a location where thecost of living is rather high, so there is no point inadvertising for staff! It is also worth noting that in thisparticular organization, the head of audit who issupposed to report directly to the organizational head,has in fact never had so much as a single meetingwith him, even though the internal audit function wasestablished several years ago! It is therefore not

contempt for the internal audit function.As stated by an audit head:

If an auditor were to get a full mandate [from theCEO] and the audit report were to be checkedand monitored by the CEO, this would lead to theaudit report being taken seriously. On the otherhand, if the CEO does not give a reasonable levelof mandate, the auditee is

sfinds it difficult to interpret his superiors attitudeto

nctioning of the organization as a whole, andhat there has as yet been no opportunity to show himhat the internal audit depart

occasia

ment actually

t was also not clear to the audit head whether hisuperior simply had no time for or no interest in theudit department. With no c

audhaveof the

ontact whatsoever withhe organizational head, the audit head is left toecide what the audit focus should be

because the orgafrom the

. Noturprisingly this is the familiar financial managementspects of the organization. It is only quite recentlyhat the fo

his positiObviouthe pro

mcome under the purview of an internal auditor.Perhaps nothing better illustrates the insignificantvalue the organizational head places on internal auditthan the fact that the auditors are sited in a decades-old wooden structure next to the main building!

In spite of this poor troorganization. This is because the auditors are stillabl

llocate resources, determine audit frequency andther related matters. Finally, they are free to produceudit reports even when their contents may not be to

attested toPolitical inteheads of gover

he liking of certain parties in the organization. What

s also satisfying is that the departmental heads withinhe organization have rarely failed to implement theuggestions made by the audit head. This is probably

operating pr

operators ou(who maythoses

because the audit head was previously attached tothe National Audit Department, and was the externalauditor for the organization.

Is is notable that for reporting purposes, he/she sendsthe reports to both the states treasury unit and to thebranch office of the National Audit Department, whichis located nearby. No such reports are howeverissued toThis experience is probably typical of audit units in

general, where, on paper, the internal audit function issupposed to file reports to the organizations head,

orga nal heathat the ill be r to dit re

T mentione

ead r d th p manageme for

noth nterviewal heaenev

was iney were

ith thditor t

organiz es. One

onalartmentious

ationence inis h roded th

reauditors to file reports on staff misconduct eventhough they have been aware of such misconduct allalong. Worse, there are cases where heads oforganizations have cultivated outside associations, orh

staerva

ell-knowand politss th

r thts ci

numrence h

ous exere refers to situ

Internal Audit in the States and Local Government of Malaysia

Documents

Transcript of Internal Audit in the States and Local Government of Malaysia